npm - node-opcua-pki - Versions diffs - 6.2.0 → 6.4.0 - Mend

node-opcua-pki 6.2.0 → 6.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -1132,7 +1132,7 @@ var CertificateAuthority = class {
 };
 // packages/node-opcua-pki/lib/ca/crypto_create_CA.ts
-var import_node_assert11 = __toESM(require("assert"));
+var import_node_assert10 = __toESM(require("assert"));
 var import_node_fs10 = __toESM(require("fs"));
 var import_node_module = require("module");
 var import_node_os4 = __toESM(require("os"));
@@ -1213,7 +1213,6 @@ function getFullyQualifiedDomainName(optional_max_length) {
 prepareFQDN();
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
-var import_node_assert10 = __toESM(require("assert"));
 var import_node_fs9 = __toESM(require("fs"));
 var import_node_path6 = __toESM(require("path"));
 var import_global_mutex = require("@ster5/global-mutex");
@@ -1298,6 +1297,12 @@ var simple_config_template_cnf_default = config3;
 // packages/node-opcua-pki/lib/pki/certificate_manager.ts
 var configurationFileSimpleTemplate = simple_config_template_cnf_default;
 var fsWriteFile = import_node_fs9.default.promises.writeFile;
+function getOrComputeInfo(entry) {
+  if (!entry.info) {
+    entry.info = (0, import_node_opcua_crypto5.exploreCertificate)(entry.certificate);
+  }
+  return entry.info;
+}
 var VerificationStatus = /* @__PURE__ */ ((VerificationStatus2) => {
   VerificationStatus2["BadCertificateInvalid"] = "BadCertificateInvalid";
   VerificationStatus2["BadSecurityChecksFailed"] = "BadSecurityChecksFailed";
@@ -1335,11 +1340,10 @@ function buildIdealCertificateName(certificate) {
   }
 }
 function findMatchingIssuerKey(entries, wantedIssuerKey) {
-  const selected = entries.filter(({ certificate }) => {
-    const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
+  return entries.filter((entry) => {
+    const info = getOrComputeInfo(entry);
     return info.tbsCertificate.extensions && info.tbsCertificate.extensions.subjectKeyIdentifier === wantedIssuerKey;
   });
-  return selected;
 }
 function isSelfSigned2(info) {
   return info.tbsCertificate.extensions?.subjectKeyIdentifier === info.tbsCertificate.extensions?.authorityKeyIdentifier?.keyIdentifier;
@@ -1385,26 +1389,35 @@ var CertificateManagerState = /* @__PURE__ */ ((CertificateManagerState2) => {
 var CertificateManager = class {
   untrustUnknownCertificate = true;
   state = 0 /* Uninitialized */;
+  /** @deprecated Use {@link folderPollingInterval} instead (typo fix). */
   folderPoolingInterval = 5e3;
+  /** Interval in milliseconds for file-system polling (when enabled). */
+  get folderPollingInterval() {
+    return this.folderPoolingInterval;
+  }
+  set folderPollingInterval(value) {
+    this.folderPoolingInterval = value;
+  }
   keySize;
   location;
   _watchers = [];
   _readCertificatesCalled = false;
-  _filenameToHash = {};
+  _filenameToHash = /* @__PURE__ */ new Map();
+  _initializingPromise;
   _thumbs = {
-    rejected: {},
-    trusted: {},
+    rejected: /* @__PURE__ */ new Map(),
+    trusted: /* @__PURE__ */ new Map(),
     issuers: {
-      certs: {}
+      certs: /* @__PURE__ */ new Map()
     },
-    crl: {},
-    issuersCrl: {}
+    crl: /* @__PURE__ */ new Map(),
+    issuersCrl: /* @__PURE__ */ new Map()
   };
   constructor(options) {
     options.keySize = options.keySize || 2048;
-    (0, import_node_assert10.default)(Object.prototype.hasOwnProperty.call(options, "location"));
-    (0, import_node_assert10.default)(Object.prototype.hasOwnProperty.call(options, "keySize"));
-    (0, import_node_assert10.default)(this.state === 0 /* Uninitialized */);
+    if (!options.location) {
+      throw new Error("CertificateManager: missing 'location' option");
+    }
     this.location = makePath(options.location, "");
     this.keySize = options.keySize;
     mkdirRecursiveSync(options.location);
@@ -1432,15 +1445,11 @@ var CertificateManager = class {
     await this.initialize();
     let status = await this._checkRejectedOrTrusted(certificate);
     if (status === "unknown") {
-      (0, import_node_assert10.default)(certificate instanceof Buffer);
       const pem = (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE");
       const fingerprint2 = makeFingerprint(certificate);
       const filename = import_node_path6.default.join(this.rejectedFolder, `${buildIdealCertificateName(certificate)}.pem`);
       await import_node_fs9.default.promises.writeFile(filename, pem);
-      this._thumbs.rejected[fingerprint2] = {
-        certificate,
-        filename
-      };
+      this._thumbs.rejected.set(fingerprint2, { certificate, filename });
       status = "rejected";
     }
     return status;
@@ -1491,30 +1500,27 @@ var CertificateManager = class {
    */
   async isCertificateTrusted(certificate) {
     const fingerprint2 = makeFingerprint(certificate);
-    const certificateInTrust = this._thumbs.trusted[fingerprint2]?.certificate;
-    if (certificateInTrust) {
+    if (this._thumbs.trusted.has(fingerprint2)) {
       return "Good";
-    } else {
-      const certificateInRejected = this._thumbs.rejected[fingerprint2];
-      if (!certificateInRejected) {
-        const certificateFilenameInRejected = import_node_path6.default.join(
-          this.rejectedFolder,
-          `${buildIdealCertificateName(certificate)}.pem`
-        );
-        if (!this.untrustUnknownCertificate) {
-          return "Good";
-        }
-        try {
-          const _certificateInfo = (0, import_node_opcua_crypto5.exploreCertificateInfo)(certificate);
-          _certificateInfo;
-        } catch (_err) {
-          return "BadCertificateInvalid";
-        }
-        debugLog("certificate has never been seen before and is now rejected (untrusted) ", certificateFilenameInRejected);
-        await fsWriteFile(certificateFilenameInRejected, (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE"));
+    }
+    if (!this._thumbs.rejected.has(fingerprint2)) {
+      if (!this.untrustUnknownCertificate) {
+        return "Good";
+      }
+      try {
+        (0, import_node_opcua_crypto5.exploreCertificateInfo)(certificate);
+      } catch (_err) {
+        return "BadCertificateInvalid";
       }
-      return "BadCertificateUntrusted";
+      const filename = import_node_path6.default.join(
+        this.rejectedFolder,
+        `${buildIdealCertificateName(certificate)}.pem`
+      );
+      debugLog("certificate has never been seen before and is now rejected (untrusted) ", filename);
+      await fsWriteFile(filename, (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE"));
+      this._thumbs.rejected.set(fingerprint2, { certificate, filename });
     }
+    return "BadCertificateUntrusted";
   }
   async _innerVerifyCertificateAsync(certificate, _isIssuer, level, options) {
     if (level >= 5) {
@@ -1609,7 +1615,7 @@ var CertificateManager = class {
       return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
     }
     const _c2 = chain[1] ? (0, import_node_opcua_crypto5.exploreCertificateInfo)(chain[1]) : "non";
-    _c2;
+    debugLog("chain[1] info=", _c2);
     const certificateInfo = (0, import_node_opcua_crypto5.exploreCertificateInfo)(certificate);
     const now = /* @__PURE__ */ new Date();
     let isTimeInvalid = false;
@@ -1632,7 +1638,6 @@ var CertificateManager = class {
     if (status === "trusted") {
       return isTimeInvalid ? "BadCertificateTimeInvalid" /* BadCertificateTimeInvalid */ : "Good" /* Good */;
     }
-    (0, import_node_assert10.default)(status === "unknown");
     if (hasIssuerKey) {
       if (!hasTrustedIssuer) {
         return "BadCertificateUntrusted" /* BadCertificateUntrusted */;
@@ -1675,7 +1680,9 @@ var CertificateManager = class {
       return;
     }
     this.state = 1 /* Initializing */;
-    await this._initialize();
+    this._initializingPromise = this._initialize();
+    await this._initializingPromise;
+    this._initializingPromise = void 0;
     this.state = 2 /* Initialized */;
   }
   async _initialize() {
@@ -1694,11 +1701,9 @@ var CertificateManager = class {
     mkdirRecursiveSync(import_node_path6.default.join(pkiDir, "issuers/crl"));
     if (!import_node_fs9.default.existsSync(this.configFile) || !import_node_fs9.default.existsSync(this.privateKey)) {
       return await this.withLock2(async () => {
-        (0, import_node_assert10.default)(this.state !== 3 /* Disposing */);
-        if (this.state === 4 /* Disposed */) {
+        if (this.state === 3 /* Disposing */ || this.state === 4 /* Disposed */) {
           return;
         }
-        (0, import_node_assert10.default)(this.state === 1 /* Initializing */);
         if (!import_node_fs9.default.existsSync(this.configFile)) {
           import_node_fs9.default.writeFileSync(this.configFile, configurationFileSimpleTemplate);
         }
@@ -1728,8 +1733,9 @@ var CertificateManager = class {
       return;
     }
     if (this.state === 1 /* Initializing */) {
-      await new Promise((resolve) => setTimeout(resolve, 100));
-      return await this.dispose();
+      if (this._initializingPromise) {
+        await this._initializingPromise;
+      }
     }
     try {
       this.state = 3 /* Disposing */;
@@ -1742,6 +1748,30 @@ var CertificateManager = class {
       this.state = 4 /* Disposed */;
     }
   }
+  /**
+   * Force a full re-scan of all PKI folders, rebuilding
+   * the in-memory `_thumbs` index from scratch.
+   *
+   * Call this after external processes have modified the
+   * PKI folders (e.g. via `writeTrustList` or CLI tools)
+   * to ensure the CertificateManager sees the latest
+   * state without waiting for file-system events.
+   */
+  async reloadCertificates() {
+    await Promise.all(this._watchers.map((w) => w.close()));
+    for (const w of this._watchers) {
+      w.removeAllListeners();
+    }
+    this._watchers.splice(0);
+    this._thumbs.rejected.clear();
+    this._thumbs.trusted.clear();
+    this._thumbs.issuers.certs.clear();
+    this._thumbs.crl.clear();
+    this._thumbs.issuersCrl.clear();
+    this._filenameToHash.clear();
+    this._readCertificatesCalled = false;
+    await this._readCertificates();
+  }
   async withLock2(action) {
     const lockFileName = import_node_path6.default.join(this.rootDir, "mutex.lock");
     return (0, import_global_mutex.withLock)({ fileToLock: lockFileName }, async () => {
@@ -1754,7 +1784,9 @@ var CertificateManager = class {
    *
    */
   async createSelfSignedCertificate(params) {
-    (0, import_node_assert10.default)(typeof params.applicationUri === "string", "expecting applicationUri");
+    if (typeof params.applicationUri !== "string") {
+      throw new Error("createSelfSignedCertificate: expecting applicationUri to be a string");
+    }
     if (!import_node_fs9.default.existsSync(this.privateKey)) {
       throw new Error(`Cannot find private key ${this.privateKey}`);
     }
@@ -1770,14 +1802,13 @@ var CertificateManager = class {
     });
   }
   async createCertificateRequest(params) {
-    (0, import_node_assert10.default)(params);
+    if (!params) {
+      throw new Error("params is required");
+    }
     const _params = params;
     if (Object.prototype.hasOwnProperty.call(_params, "rootDir")) {
       throw new Error("rootDir should not be specified ");
     }
-    (0, import_node_assert10.default)(!_params.rootDir);
-    (0, import_node_assert10.default)(!_params.configFile);
-    (0, import_node_assert10.default)(!_params.privateKey);
     _params.rootDir = import_node_path6.default.resolve(this.rootDir);
     _params.configFile = import_node_path6.default.resolve(this.configFile);
     _params.privateKey = import_node_path6.default.resolve(this.privateKey);
@@ -1806,12 +1837,12 @@ var CertificateManager = class {
     }
     const pemCertificate = (0, import_node_opcua_crypto5.toPem)(certificate, "CERTIFICATE");
     const fingerprint2 = makeFingerprint(certificate);
-    if (this._thumbs.issuers.certs[fingerprint2]) {
+    if (this._thumbs.issuers.certs.has(fingerprint2)) {
       return "Good" /* Good */;
     }
     const filename = import_node_path6.default.join(this.issuersCertFolder, `issuer_${buildIdealCertificateName(certificate)}.pem`);
     await import_node_fs9.default.promises.writeFile(filename, pemCertificate, "ascii");
-    this._thumbs.issuers.certs[fingerprint2] = { certificate, filename };
+    this._thumbs.issuers.certs.set(fingerprint2, { certificate, filename });
     if (addInTrustList) {
       await this.trustCertificate(certificate);
     }
@@ -1829,8 +1860,8 @@ var CertificateManager = class {
         const folder = target === "trusted" ? this.crlFolder : this.issuersCrlFolder;
         const crlInfo = (0, import_node_opcua_crypto5.exploreCertificateRevocationList)(crl);
         const key = crlInfo.tbsCertList.issuerFingerprint;
-        if (!index[key]) {
-          index[key] = { crls: [], serialNumbers: {} };
+        if (!index.has(key)) {
+          index.set(key, { crls: [], serialNumbers: {} });
         }
         const pemCertificate = (0, import_node_opcua_crypto5.toPem)(crl, "X509 CRL");
         const filename = import_node_path6.default.join(folder, `crl_${buildIdealCertificateName(crl)}.pem`);
@@ -1865,9 +1896,7 @@ var CertificateManager = class {
           throw err;
         }
       }
-      for (const key of Object.keys(index)) {
-        delete index[key];
-      }
+      index.clear();
     };
     if (target === "issuers" || target === "all") {
       await clearFolder(this.issuersCrlFolder, this._thumbs.issuersCrl);
@@ -1884,7 +1913,7 @@ var CertificateManager = class {
   async hasIssuer(thumbprint) {
     await this._readCertificates();
     const normalized = thumbprint.toLowerCase();
-    return Object.prototype.hasOwnProperty.call(this._thumbs.issuers.certs, normalized);
+    return this._thumbs.issuers.certs.has(normalized);
   }
   /**
    * Remove a trusted certificate identified by its SHA-1 thumbprint.
@@ -1896,7 +1925,7 @@ var CertificateManager = class {
   async removeTrustedCertificate(thumbprint) {
     await this._readCertificates();
     const normalized = thumbprint.toLowerCase();
-    const entry = this._thumbs.trusted[normalized];
+    const entry = this._thumbs.trusted.get(normalized);
     if (!entry) {
       return null;
     }
@@ -1907,7 +1936,7 @@ var CertificateManager = class {
         throw err;
       }
     }
-    delete this._thumbs.trusted[normalized];
+    this._thumbs.trusted.delete(normalized);
     return entry.certificate;
   }
   /**
@@ -1920,7 +1949,7 @@ var CertificateManager = class {
   async removeIssuer(thumbprint) {
     await this._readCertificates();
     const normalized = thumbprint.toLowerCase();
-    const entry = this._thumbs.issuers.certs[normalized];
+    const entry = this._thumbs.issuers.certs.get(normalized);
     if (!entry) {
       return null;
     }
@@ -1931,7 +1960,7 @@ var CertificateManager = class {
         throw err;
       }
     }
-    delete this._thumbs.issuers.certs[normalized];
+    this._thumbs.issuers.certs.delete(normalized);
     return entry.certificate;
   }
   /**
@@ -1944,7 +1973,7 @@ var CertificateManager = class {
     const issuerInfo = (0, import_node_opcua_crypto5.exploreCertificate)(issuerCertificate);
     const issuerFingerprint = issuerInfo.tbsCertificate.subjectFingerPrint;
     const processIndex = async (index) => {
-      const crlData = index[issuerFingerprint];
+      const crlData = index.get(issuerFingerprint);
       if (!crlData) return;
       for (const crlEntry of crlData.crls) {
         try {
@@ -1955,7 +1984,7 @@ var CertificateManager = class {
           }
         }
       }
-      delete index[issuerFingerprint];
+      index.delete(issuerFingerprint);
     };
     if (target === "issuers" || target === "all") {
       await processIndex(this._thumbs.issuersCrl);
@@ -1988,16 +2017,28 @@ var CertificateManager = class {
     } catch (_err) {
       return "BadCertificateInvalid" /* BadCertificateInvalid */;
     }
-    const status = await this.verifyCertificate(leafCertificate, {
-      ignoreMissingRevocationList: true
-    });
-    if (status !== "Good" /* Good */ && status !== "BadCertificateUntrusted" /* BadCertificateUntrusted */) {
-      return status;
+    const result = await (0, import_node_opcua_crypto5.verifyCertificateChain)([leafCertificate]);
+    if (result.status !== "Good") {
+      return "BadCertificateInvalid" /* BadCertificateInvalid */;
     }
     if (certificates.length > 1) {
+      const issuerFolder = this.issuersCertFolder;
+      const issuerThumbprints = /* @__PURE__ */ new Set();
+      const files = await import_node_fs9.default.promises.readdir(issuerFolder);
+      for (const file of files) {
+        const ext = import_node_path6.default.extname(file).toLowerCase();
+        if (ext === ".pem" || ext === ".der") {
+          try {
+            const issuerCert = (0, import_node_opcua_crypto5.readCertificate)(import_node_path6.default.join(issuerFolder, file));
+            const fp = makeFingerprint(issuerCert);
+            issuerThumbprints.add(fp);
+          } catch (_err) {
+          }
+        }
+      }
       for (const issuerCert of certificates.slice(1)) {
         const thumbprint = makeFingerprint(issuerCert);
-        if (!Object.prototype.hasOwnProperty.call(this._thumbs.issuers.certs, thumbprint)) {
+        if (!issuerThumbprints.has(thumbprint)) {
           return "BadCertificateChainIncomplete" /* BadCertificateChainIncomplete */;
         }
       }
@@ -2019,7 +2060,7 @@ var CertificateManager = class {
    */
   async isIssuerInUseByTrustedCertificate(issuerCertificate) {
     await this._readCertificates();
-    for (const entry of Object.values(this._thumbs.trusted)) {
+    for (const entry of this._thumbs.trusted.values()) {
       if (!entry.certificate) continue;
       try {
         if ((0, import_node_opcua_crypto5.verifyCertificateSignature)(entry.certificate, issuerCertificate)) {
@@ -2054,7 +2095,7 @@ var CertificateManager = class {
       debugLog("Certificate has no extension 3");
       return null;
     }
-    const issuerCertificates = Object.values(this._thumbs.issuers.certs);
+    const issuerCertificates = [...this._thumbs.issuers.certs.values()];
     const selectedIssuerCertificates = findMatchingIssuerKey(issuerCertificates, wantedIssuerKey);
     if (selectedIssuerCertificates.length > 0) {
       if (selectedIssuerCertificates.length > 1) {
@@ -2062,7 +2103,7 @@ var CertificateManager = class {
       }
       return selectedIssuerCertificates[0].certificate || null;
     }
-    const trustedCertificates = Object.values(this._thumbs.trusted);
+    const trustedCertificates = [...this._thumbs.trusted.values()];
     const selectedTrustedCertificates = findMatchingIssuerKey(trustedCertificates, wantedIssuerKey);
     if (selectedTrustedCertificates.length > 1) {
       warningLog(
@@ -2078,48 +2119,47 @@ var CertificateManager = class {
    * @private
    */
   async _checkRejectedOrTrusted(certificate) {
-    (0, import_node_assert10.default)(certificate instanceof Buffer);
     const fingerprint2 = makeFingerprint(certificate);
     debugLog("_checkRejectedOrTrusted fingerprint ", short(fingerprint2));
     await this._readCertificates();
-    if (Object.prototype.hasOwnProperty.call(this._thumbs.rejected, fingerprint2)) {
+    if (this._thumbs.rejected.has(fingerprint2)) {
       return "rejected";
     }
-    if (Object.prototype.hasOwnProperty.call(this._thumbs.trusted, fingerprint2)) {
+    if (this._thumbs.trusted.has(fingerprint2)) {
       return "trusted";
     }
     return "unknown";
   }
   async _moveCertificate(certificate, newStatus) {
-    (0, import_node_assert10.default)(certificate instanceof Buffer);
-    const fingerprint2 = makeFingerprint(certificate);
-    const status = await this.getCertificateStatus(certificate);
-    debugLog("_moveCertificate", fingerprint2.substring(0, 10), "from", status, "to", newStatus);
-    (0, import_node_assert10.default)(status === "rejected" || status === "trusted");
-    if (status !== newStatus) {
-      const indexSrc = status === "rejected" ? this._thumbs.rejected : this._thumbs.trusted;
-      const certificateSrc = indexSrc[fingerprint2]?.filename;
-      if (!certificateSrc) {
-        debugLog(" cannot find certificate ", fingerprint2.substring(0, 10), " in", this._thumbs, [status]);
-        throw new Error("internal");
+    await this.withLock2(async () => {
+      const fingerprint2 = makeFingerprint(certificate);
+      const status = await this.getCertificateStatus(certificate);
+      debugLog("_moveCertificate", fingerprint2.substring(0, 10), "from", status, "to", newStatus);
+      if (status !== "rejected" && status !== "trusted") {
+        throw new Error(`_moveCertificate: unexpected status '${status}' for certificate ${fingerprint2.substring(0, 10)}`);
       }
-      const destFolder = newStatus === "rejected" ? this.rejectedFolder : newStatus === "trusted" ? this.trustedFolder : this.rejectedFolder;
-      const certificateDest = import_node_path6.default.join(destFolder, import_node_path6.default.basename(certificateSrc));
-      debugLog("_moveCertificate1", fingerprint2.substring(0, 10), "old name", certificateSrc);
-      debugLog("_moveCertificate1", fingerprint2.substring(0, 10), "new name", certificateDest);
-      await import_node_fs9.default.promises.rename(certificateSrc, certificateDest);
-      delete indexSrc[fingerprint2];
-      const indexDest = newStatus === "rejected" ? this._thumbs.rejected : newStatus === "trusted" ? this._thumbs.trusted : this._thumbs.rejected;
-      indexDest[fingerprint2] = {
-        certificate,
-        filename: certificateDest
-      };
-    }
+      if (status !== newStatus) {
+        const indexSrc = status === "rejected" ? this._thumbs.rejected : this._thumbs.trusted;
+        const srcEntry = indexSrc.get(fingerprint2);
+        if (!srcEntry) {
+          debugLog(" cannot find certificate ", fingerprint2.substring(0, 10), " in", status);
+          throw new Error(`_moveCertificate: certificate ${fingerprint2.substring(0, 10)} not found in ${status} index`);
+        }
+        const destFolder = newStatus === "trusted" ? this.trustedFolder : this.rejectedFolder;
+        const certificateDest = import_node_path6.default.join(destFolder, import_node_path6.default.basename(srcEntry.filename));
+        debugLog("_moveCertificate", fingerprint2.substring(0, 10), "old name", srcEntry.filename);
+        debugLog("_moveCertificate", fingerprint2.substring(0, 10), "new name", certificateDest);
+        await import_node_fs9.default.promises.rename(srcEntry.filename, certificateDest);
+        indexSrc.delete(fingerprint2);
+        const indexDest = newStatus === "trusted" ? this._thumbs.trusted : this._thumbs.rejected;
+        indexDest.set(fingerprint2, { certificate, filename: certificateDest });
+      }
+    });
   }
   _findAssociatedCRLs(issuerCertificate) {
     const issuerCertificateInfo = (0, import_node_opcua_crypto5.exploreCertificate)(issuerCertificate);
     const key = issuerCertificateInfo.tbsCertificate.subjectFingerPrint;
-    return this._thumbs.issuersCrl[key] ? this._thumbs.issuersCrl[key] : this._thumbs.crl[key] ? this._thumbs.crl[key] : null;
+    return this._thumbs.issuersCrl.get(key) ?? this._thumbs.crl.get(key) ?? null;
   }
   async isCertificateRevoked(certificate, issuerCertificate) {
     if (isSelfSigned3(certificate)) {
@@ -2138,7 +2178,7 @@ var CertificateManager = class {
     const certInfo = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
     const serialNumber = certInfo.tbsCertificate.serialNumber || certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.serial || "";
     const key = certInfo.tbsCertificate.extensions?.authorityKeyIdentifier?.authorityCertIssuerFingerPrint || "<unknown>";
-    const crl2 = this._thumbs.crl[key] || null;
+    const crl2 = this._thumbs.crl.get(key) ?? null;
     if (crls.serialNumbers[serialNumber] || crl2?.serialNumbers[serialNumber]) {
       return "BadCertificateRevoked" /* BadCertificateRevoked */;
     }
@@ -2163,19 +2203,18 @@ var CertificateManager = class {
       const crlInfo = (0, import_node_opcua_crypto5.exploreCertificateRevocationList)(crl);
       debugLog(import_chalk6.default.cyan("add CRL in folder "), filename);
       const fingerprint2 = crlInfo.tbsCertList.issuerFingerprint;
-      index[fingerprint2] = index[fingerprint2] || {
-        crls: [],
-        serialNumbers: {}
-      };
-      index[fingerprint2].crls.push({ crlInfo, filename });
-      const serialNumbers = index[fingerprint2].serialNumbers;
+      if (!index.has(fingerprint2)) {
+        index.set(fingerprint2, { crls: [], serialNumbers: {} });
+      }
+      const data = index.get(fingerprint2) || { crls: [], serialNumbers: {} };
+      data.crls.push({ crlInfo, filename });
       for (const revokedCertificate of crlInfo.tbsCertList.revokedCertificates) {
         const serialNumber = revokedCertificate.userCertificate;
-        if (!serialNumbers[serialNumber]) {
-          serialNumbers[serialNumber] = revokedCertificate.revocationDate;
+        if (!data.serialNumbers[serialNumber]) {
+          data.serialNumbers[serialNumber] = revokedCertificate.revocationDate;
         }
       }
-      debugLog(import_chalk6.default.cyan("CRL"), fingerprint2, "serial numbers = ", Object.keys(serialNumbers));
+      debugLog(import_chalk6.default.cyan("CRL"), fingerprint2, "serial numbers = ", Object.keys(data.serialNumbers));
     } catch (err) {
       debugLog("CRL filename error =");
       debugLog(err);
@@ -2195,28 +2234,28 @@ var CertificateManager = class {
       return;
     }
     this._readCertificatesCalled = true;
+    const usePolling = process.env.OPCUA_PKI_USE_POLLING === "true";
     const options = {
-      usePolling: true,
-      interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)),
-      persistent: false,
-      awaitWriteFinish: {
-        stabilityThreshold: 2e3,
-        pollInterval: 600
-      }
+      usePolling,
+      ...usePolling ? { interval: Math.min(10 * 60 * 1e3, Math.max(100, this.folderPoolingInterval)) } : {},
+      persistent: false
     };
     async function _walkCRLFiles(folder, index) {
       await new Promise((resolve, _reject) => {
         const w = import_chokidar.default.watch(folder, options);
-        w.on("unlink", (filename, stat) => {
-          filename;
-          stat;
+        w.on("unlink", (filename) => {
+          for (const [key, data] of index.entries()) {
+            data.crls = data.crls.filter((c) => c.filename !== filename);
+            if (data.crls.length === 0) {
+              index.delete(key);
+            }
+          }
         });
-        w.on("add", (filename, stat) => {
-          stat;
+        w.on("add", (filename) => {
           this._on_crl_file_added(index, filename);
         });
-        w.on("change", (path8, stat) => {
-          debugLog("change in folder ", folder, path8, stat);
+        w.on("change", (changedPath) => {
+          debugLog("change in folder ", folder, changedPath);
         });
         this._watchers.push(w);
         w.on("ready", () => {
@@ -2226,26 +2265,21 @@ var CertificateManager = class {
     }
     async function _walkAllFiles(folder, index) {
       const w = import_chokidar.default.watch(folder, options);
-      w.on("unlink", (filename, stat) => {
-        stat;
+      w.on("unlink", (filename) => {
         debugLog(import_chalk6.default.cyan(`unlink in folder ${folder}`), filename);
-        const h = this._filenameToHash[filename];
-        if (h && index[h]) {
-          delete index[h];
+        const h = this._filenameToHash.get(filename);
+        if (h && index.has(h)) {
+          index.delete(h);
         }
       });
-      w.on("add", (filename, stat) => {
-        stat;
+      w.on("add", (filename) => {
         debugLog(import_chalk6.default.cyan(`add in folder ${folder}`), filename);
         try {
           const certificate = (0, import_node_opcua_crypto5.readCertificate)(filename);
           const info = (0, import_node_opcua_crypto5.exploreCertificate)(certificate);
           const fingerprint2 = makeFingerprint(certificate);
-          index[fingerprint2] = {
-            certificate,
-            filename
-          };
-          this._filenameToHash[filename] = fingerprint2;
+          index.set(fingerprint2, { certificate, filename, info });
+          this._filenameToHash.set(filename, fingerprint2);
           debugLog(
             import_chalk6.default.magenta("CERT"),
             info.tbsCertificate.subjectFingerPrint,
@@ -2257,15 +2291,26 @@ var CertificateManager = class {
           debugLog(err);
         }
       });
-      w.on("change", (path8, stat) => {
-        stat;
-        debugLog("change in folder ", folder, path8);
+      w.on("change", (changedPath) => {
+        debugLog(import_chalk6.default.cyan(`change in folder ${folder}`), changedPath);
+        try {
+          const certificate = (0, import_node_opcua_crypto5.readCertificate)(changedPath);
+          const newFingerprint = makeFingerprint(certificate);
+          const oldHash = this._filenameToHash.get(changedPath);
+          if (oldHash && oldHash !== newFingerprint) {
+            index.delete(oldHash);
+          }
+          index.set(newFingerprint, { certificate, filename: changedPath, info: (0, import_node_opcua_crypto5.exploreCertificate)(certificate) });
+          this._filenameToHash.set(changedPath, newFingerprint);
+        } catch (err) {
+          debugLog(`change event: failed to re-read ${changedPath}`, err);
+        }
       });
       this._watchers.push(w);
       await new Promise((resolve, _reject) => {
         w.on("ready", () => {
           debugLog("ready");
-          debugLog(Object.entries(index).map((kv) => kv[0].substring(0, 10)));
+          debugLog([...index.keys()].map((k) => k.substring(0, 10)));
           resolve();
         });
       });
@@ -2311,8 +2356,8 @@ var next_year = get_offset_date(today, 365);
 var gLocalConfig = {};
 var g_certificateAuthority;
 async function construct_CertificateAuthority2(subject) {
-  (0, import_node_assert11.default)(typeof gLocalConfig.CAFolder === "string", "expecting a CAFolder in config");
-  (0, import_node_assert11.default)(typeof gLocalConfig.keySize === "number", "expecting a keySize in config");
+  (0, import_node_assert10.default)(typeof gLocalConfig.CAFolder === "string", "expecting a CAFolder in config");
+  (0, import_node_assert10.default)(typeof gLocalConfig.keySize === "number", "expecting a keySize in config");
   if (!g_certificateAuthority) {
     g_certificateAuthority = new CertificateAuthority({
       keySize: gLocalConfig.keySize,
@@ -2324,7 +2369,7 @@ async function construct_CertificateAuthority2(subject) {
 }
 var certificateManager;
 async function construct_CertificateManager() {
-  (0, import_node_assert11.default)(typeof gLocalConfig.PKIFolder === "string", "expecting a PKIFolder in config");
+  (0, import_node_assert10.default)(typeof gLocalConfig.PKIFolder === "string", "expecting a PKIFolder in config");
   if (!certificateManager) {
     certificateManager = new CertificateManager({
       keySize: gLocalConfig.keySize,
@@ -2351,7 +2396,7 @@ function default_template_content() {
     return default_config_template2;
   }
   const default_config_template = find_default_config_template();
-  (0, import_node_assert11.default)(import_node_fs10.default.existsSync(default_config_template));
+  (0, import_node_assert10.default)(import_node_fs10.default.existsSync(default_config_template));
   const default_config_template_content = import_node_fs10.default.readFileSync(default_config_template, "utf8");
   return default_config_template_content;
 }
@@ -2363,7 +2408,7 @@ function find_module_root_folder() {
     }
     rootFolder = import_node_path7.default.join(rootFolder, "..");
   }
-  (0, import_node_assert11.default)(import_node_fs10.default.existsSync(import_node_path7.default.join(rootFolder, "package.json")), "root folder must have a package.json file");
+  (0, import_node_assert10.default)(import_node_fs10.default.existsSync(import_node_path7.default.join(rootFolder, "package.json")), "root folder must have a package.json file");
   return rootFolder;
 }
 async function readConfiguration(argv) {
@@ -2392,10 +2437,10 @@ async function readConfiguration(argv) {
     return makePath(tmp);
   }
   certificateDir = argv.root;
-  (0, import_node_assert11.default)(typeof certificateDir === "string");
+  (0, import_node_assert10.default)(typeof certificateDir === "string");
   certificateDir = prepare(certificateDir);
   mkdirRecursiveSync(certificateDir);
-  (0, import_node_assert11.default)(import_node_fs10.default.existsSync(certificateDir));
+  (0, import_node_assert10.default)(import_node_fs10.default.existsSync(certificateDir));
   const default_config = import_node_path7.default.join(certificateDir, "config.js");
   if (!import_node_fs10.default.existsSync(default_config)) {
     debugLog(import_chalk7.default.yellow(" Creating default g_config file "), import_chalk7.default.cyan(default_config));
@@ -2460,7 +2505,7 @@ async function readConfiguration(argv) {
   }
 }
 async function createDefaultCertificate(base_name, prefix, key_length, applicationUri, dev) {
-  (0, import_node_assert11.default)(key_length === 1024 || key_length === 2048 || key_length === 3072 || key_length === 4096);
+  (0, import_node_assert10.default)(key_length === 1024 || key_length === 2048 || key_length === 3072 || key_length === 4096);
   const private_key_file = makePath(base_name, `${prefix}key_${key_length}.pem`);
   const public_key_file = makePath(base_name, `${prefix}public_key_${key_length}.pub`);
   const certificate_file = makePath(base_name, `${prefix}cert_${key_length}.pem`);
@@ -2566,9 +2611,9 @@ async function wrap(func) {
   }
 }
 async function create_default_certificates(dev) {
-  (0, import_node_assert11.default)(gLocalConfig);
+  (0, import_node_assert10.default)(gLocalConfig);
   const base_name = gLocalConfig.certificateDir || "";
-  (0, import_node_assert11.default)(import_node_fs10.default.existsSync(base_name));
+  (0, import_node_assert10.default)(import_node_fs10.default.existsSync(base_name));
   let clientURN;
   let serverURN;
   let discoveryServerURN;
@@ -2723,7 +2768,7 @@ ${epilog}`
       await readConfiguration(local_argv);
       if (local_argv.clean) {
         displayTitle("Cleaning old certificates");
-        (0, import_node_assert11.default)(gLocalConfig);
+        (0, import_node_assert10.default)(gLocalConfig);
         const certificateDir = gLocalConfig.certificateDir || "";
         const files = await import_node_fs10.default.promises.readdir(certificateDir);
         for (const file of files) {
@@ -2835,7 +2880,7 @@ ${epilog}`
       await readConfiguration(local_argv2);
       await construct_CertificateManager();
       await construct_CertificateAuthority2("");
-      (0, import_node_assert11.default)(import_node_fs10.default.existsSync(gLocalConfig.CAFolder || ""), " CA folder must exist");
+      (0, import_node_assert10.default)(import_node_fs10.default.existsSync(gLocalConfig.CAFolder || ""), " CA folder must exist");
       gLocalConfig.privateKey = void 0;
       gLocalConfig.subject = local_argv2.subject && local_argv2.subject.length > 1 ? local_argv2.subject : gLocalConfig.subject;
       const csr_file = await certificateManager.createCertificateRequest(
@@ -2854,7 +2899,7 @@ ${epilog}`
         csr_file,
         gLocalConfig
       );
-      (0, import_node_assert11.default)(typeof gLocalConfig.outputFile === "string");
+      (0, import_node_assert10.default)(typeof gLocalConfig.outputFile === "string");
       import_node_fs10.default.writeFileSync(gLocalConfig.outputFile || "", import_node_fs10.default.readFileSync(certificate, "ascii"));
     }
     await wrap(async () => await command_certificate(local_argv));
@@ -2988,7 +3033,7 @@ ${epilog}`
         csr_file,
         gLocalConfig
       );
-      (0, import_node_assert11.default)(typeof gLocalConfig.outputFile === "string");
+      (0, import_node_assert10.default)(typeof gLocalConfig.outputFile === "string");
       import_node_fs10.default.writeFileSync(gLocalConfig.outputFile || "", import_node_fs10.default.readFileSync(certificate, "ascii"));
     });
     return;